linux/net/mac80211
Johannes Berg 827d42c9ac mac80211: fix spurious delBA handling
Lennert Buytenhek noticed that delBA handling in mac80211
was broken and has remotely triggerable problems, some of
which are due to some code shuffling I did that ended up
changing the order in which things were done -- this was

  commit d75636ef9c
  Author: Johannes Berg <johannes@sipsolutions.net>
  Date:   Tue Feb 10 21:25:53 2009 +0100

    mac80211: RX aggregation: clean up stop session

and other parts were already present in the original

  commit d92684e660
  Author: Ron Rindjunsky <ron.rindjunsky@intel.com>
  Date:   Mon Jan 28 14:07:22 2008 +0200

    mac80211: A-MPDU Tx add delBA from recipient support

The first problem is that I moved a BUG_ON before various
checks -- thereby making it possible to hit. As the comment
indicates, the BUG_ON can be removed since the ampdu_action
callback must already exist when the state is != IDLE.

The second problem isn't easily exploitable but there's a
race condition due to unconditionally setting the state to
OPERATIONAL when a delBA frame is received, even when no
aggregation session was ever initiated. All the drivers
accept stopping the session even then, but that opens a
race window where crashes could happen before the driver
accepts it. Right now, a WARN_ON may happen with non-HT
drivers, while the race opens only for HT drivers.

For this case, there are two things necessary to fix it:
 1) don't process spurious delBA frames, and be more careful
    about the session state; don't drop the lock

 2) HT drivers need to be prepared to handle a session stop
    even before the session was really started -- this is
    true for all drivers (that support aggregation) but
    iwlwifi which can be fixed easily. The other HT drivers
    (ath9k and ar9170) are behaving properly already.

Reported-by: Lennert Buytenhek <buytenh@marvell.com>
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-11-30 13:55:51 -05:00
aes_ccm.c
aes_ccm.h
aes_cmac.c
aes_cmac.h
agg-rx.c mac80211: fix two remote exploits 2009-11-30 13:52:21 -05:00
agg-tx.c mac80211: fix spurious delBA handling 2009-11-30 13:55:51 -05:00
cfg.c mac80211: check interface is down before type change 2009-11-02 15:14:07 -05:00
cfg.h
debugfs_key.c
debugfs_key.h
debugfs_netdev.c mac80211: New stat counters for multicast and unicast forwarded frames 2009-08-20 11:36:04 -04:00
debugfs_netdev.h
debugfs_sta.c mac80211: improve per-sta debugfs 2009-07-10 14:57:54 -04:00
debugfs_sta.h
debugfs.c mac80211: remove master netdev 2009-07-24 15:05:30 -04:00
debugfs.h
driver-ops.h mac80211: remove tasklet enable/disable 2009-08-28 14:40:34 -04:00
driver-trace.c mac80211: fix sparse warnings/errors 2009-08-04 16:43:25 -04:00
driver-trace.h mac80211: allow configure_filter callback to sleep 2009-08-20 11:35:58 -04:00
event.c cfg80211: use proper allocation flags 2009-07-10 15:01:49 -04:00
ht.c mac80211: fix spurious delBA handling 2009-11-30 13:55:51 -05:00
ibss.c mac80211: fix BSS leak 2009-10-30 15:50:24 -04:00
ieee80211_i.h mac80211: fix spurious delBA handling 2009-11-30 13:55:51 -05:00
iface.c net: Add DEVTYPE support for Ethernet based devices 2009-09-11 12:54:55 -07:00
Kconfig wireless: remove mac80211 rate selection extra menu 2009-09-02 15:29:03 -04:00
key.c mac80211: fix todo lock 2009-07-10 15:01:48 -04:00
key.h nl80211: Add RSC configuration for new keys 2009-05-13 15:44:39 -04:00
led.c
led.h
main.c mac80211: remove tasklet enable/disable 2009-08-28 14:40:34 -04:00
Makefile cfg80211: self-contained wext handling where possible 2009-07-29 15:46:20 -04:00
mesh_hwmp.c mac80211: trivial: fix spelling in mesh_hwmp 2009-10-27 16:29:47 -04:00
mesh_pathtbl.c mac80211: Move mpath and mpp growth to mesh workqueue. 2009-08-14 09:14:01 -04:00
mesh_plink.c mac80211: Fix invalid length passed to IE parser for PLINK CONFIRM frames 2009-08-14 09:14:06 -04:00
mesh.c mac80211: Update mesh config IE to 11s draft 3.02 2009-08-28 14:40:24 -04:00
mesh.h mac80211: Decouple fail_avg stats used by mesh from rate control algorithm. 2009-08-20 11:36:02 -04:00
michael.c
michael.h
mlme.c mac80211: keep auth state when assoc fails 2009-10-27 16:29:47 -04:00
pm.c mac80211: fix configure_filter invocation after stop 2009-08-28 14:40:25 -04:00
rate.c mac80211: remove master netdev 2009-07-24 15:05:30 -04:00
rate.h mac80211: rate control status only for controlled packets 2009-03-27 20:13:15 -04:00
rc80211_minstrel_debugfs.c net: file_operations should be const 2009-09-02 01:03:53 -07:00
rc80211_minstrel.c rc80211_minstrel: fix contention window calculation 2009-09-23 11:35:42 -04:00
rc80211_minstrel.h mac80211: Remove unnused throughput field from minstrel_rate. 2009-08-28 14:40:34 -04:00
rc80211_pid_algo.c rc80211_pid_algo.c: remove unused variable declaration 2009-08-20 11:36:03 -04:00
rc80211_pid_debugfs.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
rc80211_pid.h
rx.c mac80211: document ieee80211_rx() context requirement 2009-10-12 15:55:53 -04:00
scan.c mac80211: fix DTIM setting 2009-09-23 11:35:53 -04:00
spectmgmt.c mac80211: move channel switch code 2009-05-20 14:46:25 -04:00
sta_info.c mac80211: fix vlan and optimise RX 2009-10-07 16:33:49 -04:00
sta_info.h mac80211: fix PS-poll response, race 2009-07-27 15:24:19 -04:00
tkip.c mac80211: add driver ops wrappers 2009-05-06 15:14:37 -04:00
tkip.h
tx.c mac80211: fix for incorrect sequence number on hostapd injected frames 2009-10-27 16:29:48 -04:00
util.c mac80211: fix resume 2009-11-19 11:08:39 -05:00
wep.c cfg80211: rework key operation 2009-07-24 15:05:09 -04:00
wep.h cfg80211: rework key operation 2009-07-24 15:05:09 -04:00
wme.c mac80211: remove master netdev 2009-07-24 15:05:30 -04:00
wme.h mac80211: remove master netdev 2009-07-24 15:05:30 -04:00
wpa.c cfg80211: use proper allocation flags 2009-07-10 15:01:49 -04:00
wpa.h